<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/04/2013 07:14 AM, Joseph, Matthew
(EXP) wrote:<br>
</div>
<blockquote
cite="mid:543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:LiberationMono;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m trying to setup a replica server with
ipa-2.2.0-16 on both the Server and the Replica Server.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here are the steps I ran (From the Red Hat
6.3 IdM Administration Guide);<o:p></o:p></p>
<p class="MsoNormal">------------------------<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><span
style="font-size:10.0pt;font-family:LiberationMono">IPA_Server:<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt;font-family:LiberationMono">ipa-replica-prepare
ipareplica.example.com --ip-address 192.168.1.2<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt;font-family:LiberationMono;color:#5C3566">scp
</span><span
style="font-size:10.0pt;font-family:LiberationMono;color:black">/var/lib/ipa/replica-info-ipareplica.example.com.gpg
root@ ipareplica:/var/lib/ipa/<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt;font-family:LiberationMono;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span
style="font-size:10.0pt;font-family:LiberationMono;color:black">IPA_Replica:<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt;font-family:LiberationMono">ipa-replica-install
--setup-ca --setup-dns
/var/lib/ipa/replica-info-ipareplica.exam ple.com.gpg<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10.0pt;font-family:LiberationMono">------------------------------<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div
style="mso-element:para-border-div;border:none;border-bottom:solid
windowtext 1.0pt;padding:0in 0in 1.0pt 0in">
<p class="MsoNormal" style="border:none;padding:0in">Below is
the error I am getting when running ipa-replica-install;<o:p></o:p></p>
<p class="MsoNormal" style="border:none;padding:0in"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Directory Manager (existing master)
password: <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Run connection check to master<o:p></o:p></p>
<p class="MsoNormal">Check connection from replica to remote
master 'IPA_Server.domain.ca':<o:p></o:p></p>
<p class="MsoNormal"> Directory Service: Unsecure port (389):
OK<o:p></o:p></p>
<p class="MsoNormal"> Directory Service: Secure port (636): OK<o:p></o:p></p>
<p class="MsoNormal"> Kerberos KDC: TCP (88): OK<o:p></o:p></p>
<p class="MsoNormal"> Kerberos Kpasswd: TCP (464): OK<o:p></o:p></p>
<p class="MsoNormal"> HTTP Server: Unsecure port (80): OK<o:p></o:p></p>
<p class="MsoNormal"> HTTP Server: Secure port (443): OK<o:p></o:p></p>
<p class="MsoNormal"> PKI-CA: Directory Service port (7389):
OK<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The following list of ports use UDP
protocol and would need to be<o:p></o:p></p>
<p class="MsoNormal">checked manually:<o:p></o:p></p>
<p class="MsoNormal"> Kerberos KDC: UDP (88): SKIPPED<o:p></o:p></p>
<p class="MsoNormal"> Kerberos Kpasswd: UDP (464): SKIPPED<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Connection from replica to master is OK.<o:p></o:p></p>
<p class="MsoNormal">Start listening on required ports for
remote master check<o:p></o:p></p>
<p class="MsoNormal">Get credentials to log in to remote master<o:p></o:p></p>
<p class="MsoNormal"><a class="moz-txt-link-abbreviated" href="mailto:admin@domain.ca">admin@domain.ca</a> password: <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Execute check on remote master<o:p></o:p></p>
<p class="MsoNormal">Check connection from master to remote
replica 'IPA_Replica.domain.ca':<o:p></o:p></p>
<p class="MsoNormal"> Directory Service: Unsecure port (389):
OK<o:p></o:p></p>
<p class="MsoNormal"> Directory Service: Secure port (636): OK<o:p></o:p></p>
<p class="MsoNormal"> Kerberos KDC: TCP (88): OK<o:p></o:p></p>
<p class="MsoNormal"> Kerberos KDC: UDP (88): OK<o:p></o:p></p>
<p class="MsoNormal"> Kerberos Kpasswd: TCP (464): OK<o:p></o:p></p>
<p class="MsoNormal"> Kerberos Kpasswd: UDP (464): OK<o:p></o:p></p>
<p class="MsoNormal"> HTTP Server: Unsecure port (80): OK<o:p></o:p></p>
<p class="MsoNormal"> HTTP Server: Secure port (443): OK<o:p></o:p></p>
<p class="MsoNormal"> PKI-CA: Directory Service port (7389):
OK<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Connection from master to replica is OK.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Connection check OK<o:p></o:p></p>
<p class="MsoNormal">Configuring ntpd<o:p></o:p></p>
<p class="MsoNormal"> [1/4]: stopping ntpd<o:p></o:p></p>
<p class="MsoNormal"> [2/4]: writing configuration<o:p></o:p></p>
<p class="MsoNormal"> [3/4]: configuring ntpd to start on boot<o:p></o:p></p>
<p class="MsoNormal"> [4/4]: starting ntpd<o:p></o:p></p>
<p class="MsoNormal">done configuring ntpd.<o:p></o:p></p>
<p class="MsoNormal">Configuring directory server for the CA:
Estimated time 30 seconds<o:p></o:p></p>
<p class="MsoNormal"> [1/3]: creating directory server user<o:p></o:p></p>
<p class="MsoNormal"> [2/3]: creating directory server instance<o:p></o:p></p>
<p class="MsoNormal"> [3/3]: restarting directory server<o:p></o:p></p>
<p class="MsoNormal">done configuring pkids.<o:p></o:p></p>
<p class="MsoNormal">Configuring certificate server: Estimated
time 3 minutes 30 seconds<o:p></o:p></p>
<p class="MsoNormal"> [1/13]: creating certificate server user<o:p></o:p></p>
<p class="MsoNormal"> [2/13]: creating pki-ca instance<o:p></o:p></p>
<p class="MsoNormal"> [3/13]: configuring certificate server
instance<o:p></o:p></p>
<p class="MsoNormal"> [4/13]: disabling nonces<o:p></o:p></p>
<p class="MsoNormal"> [5/13]: creating RA agent certificate
database<o:p></o:p></p>
<p class="MsoNormal"> [6/13]: importing CA chain to RA
certificate database<o:p></o:p></p>
<p class="MsoNormal"> [7/13]: fixing RA database permissions<o:p></o:p></p>
<p class="MsoNormal"> [8/13]: setting up signing cert profile<o:p></o:p></p>
<p class="MsoNormal"> [9/13]: set up CRL publishing<o:p></o:p></p>
<p class="MsoNormal"> [10/13]: set certificate subject base<o:p></o:p></p>
<p class="MsoNormal"> [11/13]: enabling Subject Key Identifier<o:p></o:p></p>
<p class="MsoNormal"> [12/13]: configuring certificate server
to start on boot<o:p></o:p></p>
<p class="MsoNormal"> [13/13]: Configure HTTP to proxy
connections<o:p></o:p></p>
<p class="MsoNormal">done configuring pki-cad.<o:p></o:p></p>
<p class="MsoNormal">Restarting the directory and certificate
servers<o:p></o:p></p>
<p class="MsoNormal">Configuring directory server: Estimated
time 1 minute<o:p></o:p></p>
<p class="MsoNormal"> [1/30]: creating directory server user<o:p></o:p></p>
<p class="MsoNormal"> [2/30]: creating directory server
instance<o:p></o:p></p>
<p class="MsoNormal"> [3/30]: adding default schema<o:p></o:p></p>
<p class="MsoNormal"> [4/30]: enabling memberof plugin<o:p></o:p></p>
<p class="MsoNormal"> [5/30]: enabling referential integrity
plugin<o:p></o:p></p>
<p class="MsoNormal"> [6/30]: enabling winsync plugin<o:p></o:p></p>
<p class="MsoNormal"> [7/30]: configuring replication version
plugin<o:p></o:p></p>
<p class="MsoNormal"> [8/30]: enabling IPA enrollment plugin<o:p></o:p></p>
<p class="MsoNormal"> [9/30]: enabling ldapi<o:p></o:p></p>
<p class="MsoNormal"> [10/30]: configuring uniqueness plugin<o:p></o:p></p>
<p class="MsoNormal"> [11/30]: configuring uuid plugin<o:p></o:p></p>
<p class="MsoNormal"> [12/30]: configuring modrdn plugin<o:p></o:p></p>
<p class="MsoNormal"> [13/30]: enabling entryUSN plugin<o:p></o:p></p>
<p class="MsoNormal"> [14/30]: configuring lockout plugin<o:p></o:p></p>
<p class="MsoNormal"> [15/30]: creating indices<o:p></o:p></p>
<p class="MsoNormal"> [16/30]: configuring ssl for ds instance<o:p></o:p></p>
<p class="MsoNormal"> [17/30]: configuring certmap.conf<o:p></o:p></p>
<p class="MsoNormal"> [18/30]: configure autobind for root<o:p></o:p></p>
<p class="MsoNormal"> [19/30]: configure new location for
managed entries<o:p></o:p></p>
<p class="MsoNormal"> [20/30]: restarting directory server<o:p></o:p></p>
<p class="MsoNormal"> [21/30]: setting up initial replication<o:p></o:p></p>
<p class="MsoNormal">Starting replication, please wait until
this has completed.<o:p></o:p></p>
<p class="MsoNormal">[IPA_Server.domain.ca] reports: Update
failed! Status: [-11 - System error]<o:p></o:p></p>
<div
style="mso-element:para-border-div;border:none;border-bottom:solid
windowtext 1.0pt;padding:0in 0in 1.0pt 0in">
<p class="MsoNormal" style="border:none;padding:0in">creation
of replica failed: Failed to start replication<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Also in the error
log(/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following
error;<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">NSMMReplicationPlugin –
agmt=”cn=metoIPA_Server.domain.ca” (ipa_server:389): Replica
has a different generation ID than the local data.</p>
</div>
</blockquote>
This is probably just fallout from the replica initialization
failure. If a replica is never initialized, it will get a
generation ID mismatch error when the master contacts it.<br>
<blockquote
cite="mid:543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any thoughts or ideas on this issue?
Searching google I don’t see anyone getting the Status:-11 –
System Error.</p>
</div>
</blockquote>
There was a bug in 389-ds-base that was fixed a while back where
negative LDAP error codes were all printed as "System Error". The
-11 is a connection error. Here is how it is defined in
/usr/include/ldap.h:<br>
<br>
#define LDAP_CONNECT_ERROR (-11)<br>
<br>
It sounds like this connection error is occurring when it tries to
initialize the replica. It might help to enable replication level
logging on the master, then trying to run ipa-replica-install
again. The errors in the 389 DS errors log might point to the
problem. To enable replication level logging, you can perform the
following operation with ldapmodify as "cn=Directory Manager":<br>
<br>
------------------------------------------<br>
dn: cn=config<br>
changetype: modify<br>
replace: nsslapd-errorlog-level<br>
nsslapd-errorlog-level: 8192<br>
------------------------------------------<br>
<br>
When you are finished debugging the issue, don't forget to change
the log level back to "0".<br>
<br>
-NGK<br>
<blockquote
cite="mid:543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Matt<o:p></o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</body>
</html>